Information Commissioner's Office


ICO consultation on the draft right of access 
guidance 


The right of access (known as subject access) is a fundamental right 
of the General Data Protection Regulation (GDPR). It allows 
individuals to find out what personal data is held about them and to 
obtain a copy of that data. Following on from our initial GDPR 
guidance on this right (published in April 2018), the ICO has now 
drafted more detailed guidance which explains in greater detail the 
rights that individuals have to access their personal data and the 
obligations on controllers. The draft guidance also explores the 
special rules involving certain categories of personal data, how to 
deal with requests involving the personal data of others, and the 
exemptions that are most likely to apply in practice when handling a 
request. 


We are running a consultation on the draft guidance to gather the views 
of stakeholders and the public. These views will inform the published 
version of the guidance by helping us to understand the areas where 
organisations are seeking further clarity, in particular taking into 
account their experiences in dealing with subject access requests since 
May 2018. 


If you would like further information about the consultation, please
email SARguidance@ico.org.uk.


Please send us your response by 17:00 on Wednesday 12 February 
2020. 


Privacy statement 


For this consultation, we will publish all responses received from 
organisations but we will remove any personal data before 
publication. We will not publish responses received from respondents 
who have indicated that they are an individual acting in a private 
capacity (e.g. a member of the public). For more information about 
what we do with personal data see our privacy notice. 


Please note, your responses to this survey will be used to help us with 
our work on the right of access only. The information will not be used to 
consider any regulatory action, and you may respond anonymously 
should you wish. 


Please note that we are using the platform Snap Surveys to gather
this information. Any data collected by Snap Surveys for ICO is
stored on UK servers. You can read their Privacy Policy.


Q1 Does the draft guidance cover the relevant issues about the right
of access? No


This response is made by UCL’s MIRRA (Memory - Identity - Rights in Records - Access). This 
work has been designed and delivered by academics and care leavers in conjunction with the Care 
Leavers Association. The study was approached as a ‘recordkeeping perspective’, meaning that it 
focused on how records are created, conceptualised and mobilised by the people who use them. 
This included social work practitioners, information professionals (such as data protection officers 
and records managers), academic researchers and, most importantly, the children, young people 
and care leavers who the records are about. The study concluded that whilst there are good case 
studies of DPOs processing SARs for care leavers, there were many authorities with poor processes 
in place. Often the process of undertaking a SAR was extremely distressing for care leavers. 


In the light of this context, we conclude that the draft guidance is relatively clear for Data 
Protection Officers (DPOs) and to be welcomed. However, in its procedural tone, it misses an 
important component that prepares a DPO for properly performing the role - this is the impact on 
the individual of the decisions and processes a DPO makes. Even if this is a formal document, this 
nevertheless should be further stressed. We think the significance of this within this general 
document could be evidenced by a couple more case examples and an expanded discussion. We 
are happy to provide a case example. 


In addition, we would strongly stress that this guidance needs to be supplemented by more specific 
and detailed guides for particular groups of people who make SARs. We would like to see a 
supplementary guide for care leavers. There are estimated to be up to half a million people in the 
UK who are care leavers. In such cases the state carries parental responsibilities, which include 
documenting a child’s life. Often these records remain the only tool that a care leaver has to make 
sense of their life and identity. Case law has highlighted that as these records exist and are made 
with the focus as the child, wherever possible the whole set of information should be released. 
However, DPOs do often unnecessarily redact information and do not weight the process 
sufficiently in the favour of the child in care or care leaver. This is because the DPOs are naturally 
risk averse and it appears that redaction is the easiest choice to make. However, this is often not 
the correct choice. More detailed guidance in this domain would have a significant impact in 
empowering DPOs to make the right choices. During the MIRRA project a film was made (available 
at https://www.youtube.com/watch?v=xs28tczL3yA) which does provide a strong case example as 
to why this matters; we would be happy for the ICO to embed the film on the ICO site and link to 
it. We would state, that this particular Guidance as it stands, will not improve processes for this 
community. The ICO need to better empower DPOs in this context, so that they understand the 
choices to be made with clear examples. 


As a separate procedural point, we would note that exemptions on page 46 are not comprehensive. 
As this is highlighted as a general guide this should be addressed. For example it does not cover 
exemptions permitted under GDPR Article 89 and specified in Schedule 2 part 6 to the UK Data 
Protection Act 2018. It was noted that one of the links did not actually take the reader to any text. 


The Guidance is targeted at DPOs but in fact many others often have a role in SARs, e.g. social
workers. The focus and tone of the Guide should be considered in the light of all those involved in 
SARs. 


We are keen to work with the ICO on specific care leaver SARs guidance. We could write 
a special cases section as an interim solution. The ICO should further consider the 
special needs of certain populations. 


Q2 Does the draft guidance contain the right level of detail? No 


In general yes, but as noted above there does need to be some discussion on the impact of the 
processes to individuals. We strongly suggest that the guidance is supplemented with further case 
specific guidance, e.g. for care leavers. 


We welcome the statement that SARs are a fundamental right and that individuals do not need to 
state their intentions when making a request. In addition, it is beneficial to cover the rights of 
youths from 13 years plus. 


We note the timelines. We would stress that bulk of information and complexity are not 
synonymous. Where delay is necessary, this should not be used as a reason for the individual to be 
pressured into explaining why they want the information or narrowing a request. 


There is mention of retention and deletion policies which is to be welcomed but not the related 
processes. It would be beneficial to emphasize the existence of statutory retention. 


In regard to redaction, more detailed guidance on how to explain redactions in covering letters and 
highlighted within the information provided would be beneficial for the sake of transparency and 
clarity for the individual. Redaction is often overly defensive focused on the organization (which 
employs the DPO) as opposed to the requestor’s rights. More needs to be said on the proper checks 
and balances required, the discretion available to DPOs and a need to look at case contexts, e.g. a 
lot of care records are not protected information. The warning that there is no presumption of 
confidentiality merely because a document is so marked is a useful inclusion in the Guidance. 


We would further note, that often the ‘harm test’ is inappropriately applied when in fact it is the 
redaction that can cause greater ‘harm’. Some further surfacing of this complexity is required 
although this section is generally welcomed. 


The consent expectations should be developed. For care leavers, greater efforts should be made to 
get consents to release information. In addition, organisations should be encouraged to get 
consents when collecting information. 


Some additional mention of the need to consult case law would be helpful and an example of how, 
why and where this matters would be beneficial. 


Organisations, their lawyers and their insurers tend to be defensive. An explanation of why this is 
not appropriate behaviour would be beneficial. 


Some consideration of how to provide the records appropriately and sensitively considering any 
barriers to access would be beneficial. In addition, the suggestion that there should be signposting 
to further support for a range of SARs populations would be beneficial. The need to be clear on 
where and how the information has been located should be mentioned. For care leavers, finding 
their records is a journey and it is important they understand the search processes for an individual 
SAR to make sense of whether they have a complete set of records. We would point to the MIRRA 
work with Family Action to help provide a better journey, see https://www.familyconnect.org.uk.


Often certain populations do make requests via the agency of third parties. Organisations should be 
clearer on what ID is required in such instances. In addition, we would not wish to see verification 
as a barrier; some flexibility in this regard could be discussed. 


The guide would be more useable with greater cross-referencing. 


Q3 Does the draft guidance contain enough examples? 


O Yes 
X No 
O Unsure/don’t know 


If no or unsure/don’t know, please provide any examples that you 
think should be included in the draft guidance. 


There could be many more examples. We are happy to provide an example detailing the 
case of care leavers’ access requests. 


During the MIRRA research, we found that care leavers received documents where whole
pages were redacted, with very poor explanations. Often no assessment was made of
what a care leaver would reasonably know but all third-party data was removed even
including the names of parents which are available through other avenues and should be
known to a child.


Q4 We have found that data protection professionals often struggle with applying and 
defining ‘manifestly unfounded or excessive’ subject access requests. We would 
like to include a wide range of examples from a variety of sectors to help you. 
Please provide some examples of manifestly unfounded and excessive requests 
below (if applicable). 


Q5 On a scale of 1-5 how useful is the draft guidance?


O 1 - Not at all useful
O 2 - Slightly useful
X 3 - Moderately useful
O 4 - Very useful
O 5 - Extremely useful


Q6 Why have you given this score? 


The draft guidance is very useful as a general guide but a 4 has not been scored as the 
need to explain the impact of SARs on individuals is a very significant omission. In 
addition, we would like to see other points in our submission addressed. 


Q7 To what extent do you agree that the draft guidance is clear and easy to understand? 


O Strongly disagree
O Disagree
O Neither agree nor disagree
O Agree
O Strongly agree


Q8 Please provide any further comments or suggestions you may have about the draft 
guidance. 


We welcome this guidance and hope it will be further strengthened and supplemented as 
noted above. 


Q9 Are you answering as: 


O An individual acting in a private capacity (eg someone 
providing their views as a member of the public) 

O An individual acting in a professional capacity 

X On behalf of an organisation 

O Other 


Please specify the name of your organisation: 


MIRRA Research Project (https://blogs.ucl.ac.uk/mirra/), Department of Information 
Studies, University College London. 


What sector are you from: 


University — but representing care leavers. 


Q10 How did you find out about this survey? 


ICO Twitter account 
ICO Facebook account 
ICO LinkedIn account 
ICO website 

ICO newsletter 

ICO staff member 
Colleague 




Personal/work Twitter account 
Personal/work Facebook account 
Personal/work LinkedIn account 
Other 




Thank you for taking the time to complete the survey. 


